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MFTII* m FOR «Kn } RK USt , I Hi- PROPAGATION 0f A \ IRtS \\ ITIHN 
A NETWORK 

The present invention rotates so the propagation ofvirows through a network of 
interconnected men - . > ,;it a and more particularly ,» reducing cwne or 
i ) }U ! 

In ctutem tKtvork , v ot»r»t:tts* ~ j > » ^ >m v „ivo e* rsatone 
time or another wo ,< one or more other hosts. s (or example m the case of 
an IT environment, a host m the form of a computer (sach as a client, a server, a 
router, or even a printer for example) is frequently connected to one or more other 

Internet. Alternatively, in the ease of a cormnnmcauons technology environment, a 
o mk on, t I t n v K \ 1 U i , f j ^ po v 

' ! fron hue tot t evitabi 

result is thai the opporitmi ties for the propagation of viruses are enhanced as a result:, 
o example in the c tttt computer virus ki i < th D Red s rus, emet 
assrariiat i wit) - host the virus operate t< aerat m et Protocol f IP") 
addresses of other potential hosts at random, and then instructs the host to send a copy 

$ he ich of those random! ; i i oft! 

potential hosts are genuine (since the IP addresses are randomly generated.}, sufficient 
of the randomly generated addresses are real addresses of further hosts to enable the 
varus to sell ps p< < i p.idh tfrt th stemet, and as a resit t to cause a 
substantial d < s i * ■* < N * . ot n i , n : , , v i te yo.e\> comp atmg 
infrastructure. 

^ 1 » t * - •> » . n v j w s j t \iVvn 

< < k \l > s t> „ , t H jm 4 j v ^ > est one > 

mote teho o , \ ^ , a t K \ t , m n „ , c j Mrt . 

es v usnwyact > < s i 1 s l 
subsequent to its suroiUuio tay u o see. rums fleets wit n that first h t 
such as corruption tmckor tkknon of flies, ha addition the virus may cause self- 
piorvmuun to o>eo - ore mm o" { at -> - „> < v 1 eac.s t yratlar 
corruption, deletion and further 11 p > v * - AUemanveh the vmn may merely 
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>c assimilated wit ehrs t v< cau - ; deleienous effe s vvhatsoex ! \ 
i <- poy; e 1 io o- v > r ,<. f \ < -,\ i - v. n <_ ' ii, > v sls^, h as h vt ct s 

effects, such as, for example corruption and or deletion oi files, in yet a further 
it niw ena 5unr> na\ T wrnpio vrm o ated ^ ohm a first host 
S cause itself to be propagated o multiple other hosts within the network, The virus 
*nnh s s \, t p !\r^' n ww- ti l<kc 

n thro te n wo k nay be of a sufficient 

n • , „ a v . , x l »\ u ith'srt r,iftk soAi 

the performs < less afTectes cUieu 5 marme The 

10 thi<_ ,i s ! v 1 1i t ")i 

% ■ . >ii ,e^ : ^ ( h ? f -i>.od^ !!; aao w.o a\ ^w ? I I fi m m 

■wen s , , si . - , f^ts jsoee te kw 

effects upon either one or more hosts, or the network infrastructure as a whole, one of 
15 tht m< | » verse such effects 

is the speed of propagation of a vims. Human responses to events are typically one or 

^ O'-. vJhl so 

• ^ ' 1 1, dtiYiculti.es are <. |s » v apt to arise within a network before any human 
network administrator is or aware of die problem, or capable of doing anything to 
20 rerrsed £ 1 a! ran - virus throng 

mmwod k oi t Us to limit any negative effects ! * U 

remedy them, 

\or ding to ftts v > t v.? <s wentior rc sprox ded; method o 
25 < < \ i n nm. 

the steps ot 

■s ! s > * w- m b s w n 

nciudiuf east data unite: id ties of hosts contacted by the first 

host; and 

30 hunting network traffic from the first host over the course of a first time 

< xv' " s < JUI W K s i > , < K>vt 

r trained number of os h he record 



h *» 5 < ho t i ) p e j s d) which 

u p J \ u v. i ■> 

t J here t m ! > \ , >te< 

5 3sO > 4 , ' < ! ! , , s , , , 

qptproprute d upda the reco tc i thy of a host, i 
She f m time interval < which — not in the record durme the first uroe interval 
update K ou ti v n k oe i - - fere; e so a asbsequeo; arm huervai 

10 < 5>>s,\ ^ j \v v ,\ ' % < x s ik ? h of eonneetion \ he^ rut 

i ( l " < ^ v s losN 11 Kl W t < ! ^ M Mti 

however is di cm 5 tyykx \ i virus attempts tc 

»' f ' « > ,}n > t!< < V M, sf t M m to 

i ttvd M-g u he; i c > contacted hosts P I therefore k 
15 il ol n » .so \v no is b< t * i u is „ < u } v j l5>u v , 0 w) ^x, ,k 
norfse, hut a -outoc^ntv rest noli ve effect upon viral traffic. 

J ep of a Mr,- c n„d s> t < > s k it 

may be attempted directly, or via an intermediate or proxy host Thm foi exarapk m 
20 thecal vu vhich propa es th< c j ,r of en ti the virus m v 

tsclf to one or more other hosts within the network, 

J t !t * M 1 ^ s i US, S| 1 x „ , ( it 0s ; , 

«f 1 i « hi * ;ru^ isui! s , ^ i »o x . * s 

1 1 >uch an eroa.il n h \ 

25 M i J , J < i t \ j. ) x . | ly | *j v 

therefore, although ostensibly only one other host within the network, re. the mail 

» 1 «. ! » f e' v j ^ Si njra i 

pk.od. ^< ! tn s < . M s«, , t , < i 

m. \ t s i „ > >ht \ , no -> « s a v , n.d 

3h c and in one xamplc ieved h h rrs ddresseeoi 

s< > , w v 0v . >s ' o ii «ngt 
* N s , > , ? | i , v & mis oo 



4 

Et«bodTT«ente.0f.tiic- i»vmt|pR : : w|II m.w be describee, by way of example, and wife 
reference to the accompanying drawings, in which: 

5 g I c « « " s I i» "5 v ! *ii nhn ut v v a ^ , ^ . 

S 

Figs. 2\~D are schematic illustrations of network traffic tarn a first host of the 

i v 1 A ' I * * N t A 

Fig. 3 is a flow chart operation of an aspect of a method according to the 

1 0 present invention; 

! »s «4 \ < s ' < ,e doss near . i M . c \ r> ,..,v; ; \ e , N > k j 
according io the present invention; 

\ 5 Figs. SVC illustrate a further embodiment of method according to the present 
invention; and 

Fig. 6 -is a flowcha asps imptemo 
Fig, SC. 

20 

Referring now to Fig. 1 : a network, which in the present illustrated example is an 
infonmtionn, ^ ^ >o 5 p e , • 

a workstation 10 winch is iyp.icahy a personal computer tor exanigke a mail server 12 
I ^ > s - v t in s„\o t S p i r 

25 i 1 o>.> t t > t <• s » > , ■> v 

erverkSs my c( \ h n n x i 

esu s - n * x i < tJ n i< > f 5 

x U s one of which IS ted under the d non A. N 

c * k «. * M PltU) |pi || ? 

30 of the present embodiment of the present invention. 

Fhe v< kstatin? 10 run? ; lmaot> y fp> e proy mn one us tl\ iter « 
programmes operating at different levels withso what may be thought of as a software 
1 x-nxr \ r .'k-' Loss -> t art such ax* tlu * 
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vmksbuio v ic botsom of ihc s; I * fbo other programmes, such as 

t v w X t l t i u Uj 

dtmeltv with the hardware of the workstation for the purpose of. for example 

i i h - A J % v 1 < i i I 

5 tiles ed workstation etc.. Examples, 5 1 0 

> \w v *. ' a 1 v lie 

receipt and dispatch of email from the mail server 12, a web browsing pTogrp»me»,a: 
' , n < t enabling < - it - and < ' s * < > ? t and 

instant e, - software enabling the t v . , receipt of ASCII text messages 
10 dtret I >&nd en s within the network in additi e stack in ides 

)'wl ^ ( ^ « -> * > ; » w 

workststtor s \ - xmtrmm 

of the present invention, a further software programme, Virus Ants -Propagation 
software (V APS), runs * hhh » the stack adjacent the networking software. 

15 

^ \l ;ac;s^ t c it w a > fot al wrth< ond data from the w orks 1 1 1 

operates to restrict the propagation of viruses within the network by linn tsng the 
, \n iMv-v^h'jJ n w 1 u ' ^lv 1 v v m: OA, as t< 
behaviour in contacting other hosts. In accordance with one aspect of the presort! 

20 tm networks noi nal netwo k traffic (i e 

o >■ \ « < so; re. >..o , t t ' e\ •. etc 1 \ 0 , «♦ , , to 00 t 

withtn the rmtwork which have previously not been contacted. hi contrast, viraliy- 

f J f s a t ! •> iv. n%v ^ t ah urn t 

f ( t 'jet U> 0 < % j ! n< * „ u - fr ihs> v. ' . n>i 

25 of the VAPS is to rmpede virally-reiated traffic, while allowing non-viradiy related 

1 N O V t ' g < ' > ,' 1 V 

psrates upon the has ha series t rvah ,v it ovs v whsch in tht 

tinnpieareof predt nd cor t I ans g ven 

t.x, si e \ t v * *s « « x n . ^J. K K tK s » t ; u t - 1 
30 votwwtnm more th.w a > ok t ,vd > v ot s new " hosts, i.e. hosts whose 

identities differ tons those specified in a record of Adenitises of destination hosts most 
recently contacted. The record only holds a predetenMrned number N of destination 
host jdsnmte ! tied as new- if i s not one of the N 

moss reeeatl > contacted destination ho^tc "The number of new hosts showed per time 
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wmdow, and the valus hh, an. kieruh sd oa the basts ofa pok;\, p \t!K defined 
by a system administrator, and the policy ts preferably formslated to take i c< n of 

limit the speed at which a virus resident on the host may propagate from that host to 
5 other hosts within the network . 

1 h : \ Ou' 1 K 3 Ppvi s 

>ro ( Mining i rks seodrecou x 1 s < onnect and 

seed data to other hosts widen she network h'outbouml requests'"}; the email 
10 s , i < p' < * \ i - < 

r»ul ! K < i\i i nO!%0: \ .1 M i 

ipplie « una < ; ep;v-eh o et h< ic sen r H Serve n 

0 < sau &\ eo n i i\ 

"o^-e^o.^nroivr, V.^v v ncVt h h-N, t vs \\ o, v; 

I S m order to contact a site external to the subnet within which the workstation 10 is 
locate* quest i ni >r« tmpie, outl e c VAPS from 

each of these hosts are each actually requests to provide a connection to an identified 

f ! i ' * T vVWJ 

rr ' 5 uo > ? ? ^ ^ u\ 

20 > t v. I f ! S 111 V } < S. > 

0U, is V- W < ; s H W 

s iterpretedJ i o secern mmy 

indication that com i this ma] tot 

esampie he provided s 1 ' hi r nisskm \t 

25 l is , > . 1 , > , ,k,i v s > s , 

s e, > n t j 

tomungpat >« hex** < - i s j i s ss gkcpW! 

during die course of hits routine will now he described m sore detail with reference 

1 "> k s < ^r its ■> s. s \ , 0 , , 

30 Fig, 3 ewweoeem die > ' s- w thee u'>'t ^ >,<» n. ^ 

S ^ i » * 1 t S S ~> i, 0x3>S.t> 

v s > e ated to the 

s \ whereupon the process within the VAPS which processes the requests is 
eesoed ttt step 3 ; hl h'port passing into the VAPS, the identity of the requested 

PDNO 300201860 



destination host specified in each packet is matched with a dispatch record in winch 

v det tats* apredcn rnned number N tuineh s example i.-> f destination 
hosts most recently contacted in the previous time window are stored {and which are 
shows for each time window in Fig. 2Bg m order to determine whether the requested 
destination host is a new hose as represented at step 304,. h>. the present example, 
somewhat artificially, bat nonetheless serving to illustrate the principles underlying.- 

.psssunnwu i <n tU n , i mr v ] j ^ t „ u<ow J( ot h 
workstation 10. The VA.PS therefore matches the destination host identities tor each 

! n Requ sts A-C a s n i s «. < u t s> i < p) tort! 
tamponed wL? x o d s i s ^ o - - p w c 

the three hos ft s i the id orksomon hi 

M >em ecm the am e ;n ! <. i l > ^ ; h ,io v.ViutA'u 
identities retained in the default dispatch record are those of the mail server 12 
(Request A), the file server 14 (Request B) and the web proxy server 16 (Request Ck 
* { t > d <. u < mm \ s ivl ; CO v it p-n^j 

Tl identity a host destination matching one of the three host identities in the default 

* f c he Requ« is seek 

a new destination host, the V APS transmits each request at step 306, and in the 
present example this means that it allows a connection with each of these hosts to be 
>mm < 'r ,,j <* v" ieioqta t ? » s , the graph of 

Fig. 2D, which has the same tee scale as Figs 2A.C, meaning thai the temporal 
eiatio > tween evet si snared tr ea< h d th se graphs can be mad v 
appreciated. 

During the course of the second tone interval '12, three further outbound requests 
identifying host de^nrmOons "intranet Peer 0 ^ \ . To K .owe P> which as 
indicated above corresponds to the File Server 14) and "intranet Peer 2" (Request £) 
are received by the VAPS from: an instant messaging application programme (in the 
c^se of Requests D and f and the % v -i» j.<o Mr at the ease of Request 

B. As in the pre* sons dm . w udo<x . as each \ eque o passes to the YAPS, and as 
p c t as x ah. vd u » j 4 t t t u. t a, cm n 

iatehed i the identities pres tin < iispafel eeord2!2 f he dispatch record 

' mlvdi n hwrm \^im^ « dfm* mcna-m sjsioe c. 
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to the default dispatch record). Upon receipt of Request IX the VAPS establishes at 

p that "s K s? \ t \ i i 

ksn ! 5 ho 1 jereupos request is dented, ami is instead stored in o 

5 I n f ! s i s re illustrated schema 

Fig 2C (she delay buffer is shown m Fsg. 2C on each occasion that, lis contents 
change* li i i n f <* s ' <h<. , hr I o*. ^ m ! o n 1 so the ; \ 'hi - * ~ edhei 
! v > w the request is 

d n o or tra:ism;ss;on of the request (illustrated so Fig 2D) when the request is 

presen , s \ seen in Fig 

1 > h , k i 1 ; ifh ^ v i ^ -J-.o.t <. OU UOOOte " , i X h 

k u* ) i \ ' i I \ s - % 

S 5 This, at the end of the hue period 12, no requests for connection to mew destination 
hosts ho t i two new requests. At thi 

juncture I i.e. at end of time period T2), the policy which the VAPS is designed to 
implement comes into play, h the ■present example, too policy provides that a single 
t \ h in i npkirt-reJ 

form In Fig. 4 A, and begins at step 402 with the advent of a clock timeout, that is to 
say that the clock (not shown) which defines the tone intervals Ik has completed 
another time period. At step 404 he routine determines whether there are any 
t is -no e del nk do s d > s ; s s No, which 

IS is the number < if requests in the detej bufe at m$ moment; if I ogNo is not greater 
5 * I quests m ids at step 40t hi 

the present ! of the \mt 

Interva 12 two rc sts, D I eoemula? nt t s » the routine 

> o S » s « i 1 s « ^ i R e. the o t b 

30 butter for the femes- to ss uamooUes: At step 4] 0, the routine then searches the 
h ! i s ' b r r us sis pvcrHmg the same destination host ana trans, t 3 ( 
io r-o. ire hpm behind this being that, in the event then, is a vims so the fust 
i Jts ns tune^oPQt i i v die virus are no? ,koo to ^Jete icas o 

any greater extent. This is followed at step 41 2 by updating the dispatch record so 
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dsa n vsv . M < rctleci.s the identify of the three most r^c^nth- ^ ;ek> hosts, and hi 

tK t v ! > ^ t N ! ' - 

MOO tlx II v. t.Vk v.! <>u > <^ v WOflSi 

5 i ogV d^s-one -i - . ct *i ~ * e wh\ti in tlx . v\ sr *p»c lollo^m ' *h 
tr ns v.* \V a >e^, N > 0"o * t 

The buffer size plays an iniports.ni role m implementation by the VAPS of another 

aspect of the po|« \ - n that »\ is p> ** , ; ! oeMieo, to i »tute *t \ ii mtbenon 

10 m forms of the size of the buffer, and the stage of any such viral infection by the rste 

, W>c> xo Iht*ioio\w~>um < < di < i Hi i * OKI 

, , v „ o ^ - v s , , 0 i^ s f » „ kmt nen \milh riaVdor 
egrttmaUT new s 5 ' * > < - s 1 . ily a relatively sma 

number of new destination hosts, whereas, becaus*. % es tend K pn pa »\ h> 
1 5 transmission to as many disparate destination hosts as possible, an instance of a large 

number of requests to contact a new destination host will typically be indicative of 

viral mfcctioi effe* veh queue of -new requests waiting to 

K i m e b v ,< tU t\ , on, -e^at on of V ! Ci<u^ ur. 

infection, since a large buffer size is indicative of a large number of requests to 
20 una v ■ > vi ! \ f s w v mi ! ' o o > * * 't«o n s 

j , , . , t nl k atoe of the <w > I vi t - ^ - ««. v. U to - . 

s u , v 1 h * c umoi { viral 

infeetioa. 

25 A second buffer management routine, i ilustraied in fig. 4B implements this part of 
Pie policy, and is triggered at step 440 try the occurrence of an update of die value of 
io V thsh m > i t»v - K v- n * ,it ^ oi ot^jt 
i ! lines whett Her ts greats 

\ n tq? not \ nfection 

30 o ( < , T * v , x u^;.oft I tt v, t- vrA 'm a ^ snai a' ! eri to a 

U , N V N K < Of v S < * ' » < ^ - ' ^ > t 

amggi to ' ovhiu'heneo s is des;red M step M( ttte 

rename dftenumea aIvJk. ttu urutu V, ss isiereasine abow a given rate, and 
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following which the routine ends, 

^ \AMti>^ n tuvx rob \ i , j o me k'-nt-rik \V<nui * 

5 w „ svt i " * ^ M „ it i 1 

i which a wb b, n abed horn rh, ena mter\d, i 1 n a^nca- dw mail s-oei i end 
two Ren/nests C are received. Because the de>p;«eh rcc« -rd ! * h-r tins tnrnc s\ " i } 
does not contain Request A. tics request is denied and sect to the delay buffer, while 
Un oaotia > t , o^ *> H ,e \ t , v * « n m < ,r ?\ d i ii« bulb 

id i in *. > > « * r 1 i nil i s- t isciit w i.mi 

Request A, and in accordance with the policy, the first butter management routine 
transmits Request h at the end of the time interval 13, meaning that at the start of time 
•vvnM mi « \i k mHP j . \ 1 i Kv ^ num 
time interval T4 is Request B (the File Server}, which illustrates that ever the coarse 

i 5 of three tune intervals dunnc w inch onh nomvd \ ^ oik tradh Ins been 

transmitted, cotinecttoii has only been requested to five different destination hosts. 
However, Request B is nonetheless defined as new because it's not in the dispatch 
record 216 for time interval 14, and so rs sen; to the buffer (this action being 
fo ^ ' * t 2C) Aftei r< < 

20 two gro v oi > v-< ^ ia lly sm u m as req uests an ec ve» 1 md K 0 .aw 
since these are also new, they are also added to the buffer upon receipt and 
P^n \f m\ b « u i x - i i r i v h 

seen that t 'mm » eased fron of one. to 12, and iccordam th 
policy, thss is defined as viral infection, since m the present example a buffer siee of 

^ * he onset of 

infection, 

v. v t n « S e „ X ^ t t S ' - 0 In 1 ♦ i 1 1 

30 i this has the ads-an tgoi I t 

provide us ' a tion \n addition, ddayh ! > t s onnectiomis 
earetaK s > < g compatible with 0,e optaatiu !e xv,-e s 

and networks. However* the V&PS may be configured to operate in a number of 
ways. For exampk. in accordance with an shernufhc embodiment, where the 
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compose- am ;\'. ^! ^ <. \ x m v . \ owag 1 iev|««'»i iw v a v on. 

and simply return a suitable error message to the dispatching, application programme 
b\ which the packs o*. > no I > ■- ^ - ^ ' ? , v 

uhvxi m:rn - dispatching app ct ti o usnc nih" if ihepaeksus 
5 m <■ s Ks } i \ 

a ! n. native c >hodi ent, the policy relai to ita mer of ? c <- 1 

tt' I r ! s * ' N 

corresponding to Trie .o ^ of new ^ s , t receded \ parncobr lane *u , 
and augmenting dus variable; u . a new request is received. Requests > ikea 
10 t u< n tt a . v. - s ! > , < t - i -■ ' 

d S{ < * h v > \ i ^ * v 

K Xi < I •> ' > t V i ' 

h he pic * ex f f - $i sis trans ite* re j«< ts hisio > 

15 order 1 e ( I v ?h t 

where contacted, i.e. No. 1 iraheaaag the host most recently contacted, and/No, 3 
indicating the >os I e previously {or "first m ! ou h 

is not essential, an sequ< ? ! i h \sm < in another 

order, such as "first in last evf for example. 

20 



, ! i'Hnd request 

<kvl) s \ . t \ W I W ^Oi 

^ i i . ! i ^' ' v. o n 5 > , This 

sub-requests, here having tee form of putative email messages intended for dispatch 
from the mail server to a list, of addressees specified within the outbound carrier 

3 ofasactingasa vow des * >at n 

host for the ultimate addressees specified in the outbound carrier request), in this 
30 i oo , xa o * pack* ! 1 - 

mail server wall in fact effectively allow the workstation to contact multiple other 
hosts wnhm the network {i.e. the specified addressees) all of which may he new. even 
< > \ vs oh the ro e oe.Sv dx. 1 'K v. ah logs 
m* x ^ e; w i! e * x - 1 J, s a^ v>i.\u! he 
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reeogmsed as new if, as may be likely, the mail server is identified in the current 
dispatch record. In such a situation therefore, is' - VAPS operates simply to restrict 
the number oi now desmaeum :n$5« to be contacted per time window on the basis 
only of those destination hosts which are ostensibly identified m the outbound 

reduced, because a single outbound request specifying the masi server does not 
necessarily represent only s single email subsequently propagating through the 
H'notx * <■ s j ' > ' >%s„fjj ^ s ><-! < -,*r\er 

10 o; nil t vs i bodnrau far described therefore, th VPS iodides 
t i M <n v n\ ! 1 

■arhoand roques ha \ ; > B tan ertaos appla:ahons progn i nes are 

more likely th se oat xn ! earnests v. h re voice i use of ; 

proxy (for example the above-mentioned instance of email or the ease of a web 
15 > ^ as ( ( > it , > < >t*v on the 

itb aim kelyto bt 

earner requests if the packet is generated by on ucl $pc m application 
programme then il \ v -> kestheu j 3 com 

* h\ > * i ' ^ i- vihr \ < . 1 > 

20 , 1 . occ^vs * - - , , , Jeuot.ca- e* 

Ills genuine or ultimate addressees have been obtained, there are several options for 
processing the request, hi accordance with one alternative the identities of the 
destination „ < < K - ! n i 

s •> v n * < > <• ; , » t , <- v uo u 

25 0 5 , n , , , j < v j ip ( r 

pwiou h * i s t i 

% so a k f <. , , f > \ , \ \p s v] a > j on > v 
dkm to be uansmiued s v. i vhat ma> ht oi" as th 

t| \ addressees may ? depending upon the operation of the email programme, either 
30 vj 0 1 u fo\ 1 * d.s4i>!t .^vg.sra 

akernativeiy be dead with an a different nucoeu v. been may also be specified m 
,ut enlunce wnh the t. or * ^ he s i u o a d ko n ? c- u ,n,uaied m 
connection with Figs. 2 and 3. 
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Since in the case for example >- . s < the use of outbound carrier requests io a host 
acting ?s?r > r-ate a exsecs of tin- ennui sies?. ges ts the norm, sf t$, 
io a mo - tbie for different versions of \ -MS u t simultaneous!) 

|f . t ! ! > » f - V V < t 

5 » v * i * n <. * > ? » < \ t p 

hosts specified rn any sub-requests identified by the enon; appbeatioo programme, io 
such a situation.- each V APS w.iH operate independently, using its own dispatch 
record rfiu' x s ^ ^ ! - v > v. .tacitisM 

ip k . x)' ^ > ^ ) . "s'lSU'n 

10 connection with logs. 2 and 

3, Pro On ore " > v;-io >i 

wmdov >fcon m .ration 7„, a >n new host per ouib tud reqttesosnb-requesf! 
or different as desired. 

! 5 ill > « C< I V V N l ^ X V X 

dispatch record, and the number of new hosts to be allowed per time > tdowate all 
dependent upon the likely ''norma'd performance of the network within which the 
VAPS ij ! \ YAPS 

is intended to control Therefore, while a policy such as that illustrated in eorsnactiou 

20 WitLFx^: ;er,vi< ^ * I pa vi>^ n the 

ootwo3 tei ec; > ew host p< time interval, it m&y also be 

vt t ^ v s % ^ v o i t > network traffic 

whose characteristic behaviour differs substantially < the policy the VAP$ is 
implememing. To ameliorate this ditneuhy, it is possible to provide a version of 

25 \ > a <. < t 

xX. S N , v ( , ' O , ! <■ v O X 

O , 1 ' X v V t V 

Rt: >A t \ * , Ss U Ci f | f 

?a x ' - < > } ! s 

U 'vvC ^ ap> o.o>ti\ tho pii t , - v i nn. erH„ » 

the? ail e o requests du its 4 relatively sw number oi 

requests are processed pet time interval, and thai therefore it is possible to use the 
W S < ( " x *" > t t o v a x f < rev io t o 
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time uuerva scant extent 

f t&k!; ov<„ e a \ - ' i i -_i i ,i s nF« ^ 

* 5 ' 1 i 5 <> ! Rich v S 0 

In 1iT«vh 'uv s. khi\iu L 5 x pexdum 
5 permitting . im > t to one new host per 'u interval, where a time intervals are 
n < o > < uM mil mt rrpstk < y« oi ? ^ , network 
traffic illustrated it? Fig. SB. ideally therefore, an alternative policy is required which 
1 o <s * ^ ' ghh a a ooUn is 

iastrated referring no* < ! < s linstrated 

10 S . a rckun civ long o c > ah and S,. a relaiooh short in nu From Fig. 
5C ' nht se n t ui? who; placed together altema c he tin c interna Si 
corresponds to the time interval in the graph of the traffic flow from Fig, SB where 
there is a flow of traffic, and the time interval S, to the time interval between two such 
umc intervals, where there is no traffic How, By segmenting time for a VAPS using 
1 5 these two time intervals therefore, it is possible to construct a policy which matches 
^ < woJ-n \ luvmed it <, i ^ stfi pu*nie\«n 
dW i » t | x v s \ N \ m k 

implemented using the variable LogNo, which as explained above corresponds to the 
i eat ! < n the delay bu1 > terva) 

20 la the present example it is desirable to implement a policy which does not impede 
die free flow office legitimate traffic pattern illustrated m the. 5C and referring now 
to Fig 6, to this end a modified first hatter management routine is provided. 
Following a clock timeout at step 502., the routine determines at step 604 whether the 
cm ' On » i p' xlete.rm.med number, lXl tins instance 10, this number being 
25 chosen, in conjunction with the number of request identities held in the dispatch 
meoKl, to be equal c \nJr, sew no 0 t m < ! < q , t u-:w,q iAt 
daring a "long" time interval S;. if LogNo is greater than this number then the 
> ! v v t mhs irsti k- d 

l e i , xs , s«. s ,n< (>m s 1 _ f n 

30 the record is updated, and the value of LogNo is undated. If LogNo is less than 1 1), 
ssthan 1 v reque ^s ? ( rseof* 

interval then the routine proceeds to step 606, at which it determines whether a 
further enable LogNotast, equal to the number of new requests received during the 
previoa time erval sg xo It is hen n? rout e default o, 
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agv so -a ten ou h h u<~>^ ~ 'Ki'.'Vi Uv' 1 ^ " vu>HfaiStf ' 

\i s ■a ere ! i v < ! i „ s ?. v, i n see si 

( ? s a ' f ? ! I $ u f ! < r u 1 < la^ u ci iOlo 

the steps 6 12 to Oh Thus. « en 10 or less v requests are received 
5 interval, and no new requests were received during the previous tunc window, the 

i t ! s N-! ! ( ! i - >ui i,e n ' m d 

< ( n„ K en •> ^ ^\ ,Uv ! v. k> ^< \ v ! . t v. u n - <. tf |< cMOU 
ne i n t or , , >ondi n any time window win 

f ?w ! v. (. « if !h<n s 3 <h 

10 ngei -va!) or wh j 1 re were n oix that 

zero new request;; kSj s the partem of legheriafe traffic how illustrated in fig. 
BUh rout wu* its to wh ma ? i of as; the n\ d policy of o 

ictev ( teiyu be virail> 

IS implements a policy which conforms generally to the behaviour pattern illustrated tr 
Fig. SC. 

Inn mo*. * ^ > n \<K <* 

different lengths, and a modified version of the heller management routine, 
20 '<-v v ' v I t > » « " v f< s n s 

X C v . < n V * \ i ' < N ? X i ? , , „ 

«. ew s\ ^ t > <. h ! m <. unh v-the 

be o st id ere ; , duyouch ;wcord, th erebs 

ui v <> e v ! n v < ! ! , oi 

25 he regarded as being eew aed consequently easisueiUog a a cm a number of 

destmation hosts per tutu r ; raj o $ the case o Fu K and 6, per alternate time 
mtena 1 ^ . " t h r < ? < 

! 1o* o< f-;g SBwasoasmtu .v ' r, <si: fes t on hosts vh.,*^ 
identities are the same, or similar each time. To achieve this? for she traffic How of 
30 SB, tw< \ <. i «. e s f ( esti > i d: or * 

V S V N V < t ) > \ < s li> ! f! 

intervals $ s> containing no destination host identities, with the two dispatch records 
being used aln r\u h Ko^e>er ; < ao t w w * <. t e *. n nun nr e mw 

^clatvKV ^ eo contact with (in this o c ^<_> 



16 



t ' ! tc \ A thu *o u > ^ v >a. lu&t^i v s< > 

^ o ,! j kj;n H ;rifhv t\ w 

0 l ! r > pi <: ilH 

5 provision 53 made for contact with 10 new destination hosts per time interval $ t , a 

1 v <. ibles NreqNo, and 

i > v t tif Ut f 

^< \ t> . t- cOUftmp'«o\Xvi I 0 

10 s t r I ' a s o k v U ? o, 

are sadshed, i.e ! ReqNo ss ! than 10, AMD ReqNo lest was equal to ee:o This 
odificaa ? tl mt >f all * est ss umneduueiy, which « 

^ x I t < s ? <■ <■ 

i. 5 >. i * s 5 <S 

! 5 stored in. the delay buffer, which as previously, mm- oik enables an indication of viral 

'a "f' *' ll, > , i < toA, < . 1 <- 
'ii'l H f t " > > < i < i s 1 " ks< if.OT \ ,{) 

< u t % > k r sinrvC '(d u d 

20 , 1 1 i t rt h *• uth it; > > m< ■> t s o t > \ < n 

^ ! <X x v 1 > s V i V V 50 > O J 

U» m.gh the network 

The use of a different rurinmg concurrently., with one VAPS per application 
25 > i • < * f 

implants > p <. , j » , ; , s and thus 

^ iv. \ 5 ^ s 0 ! 1 > n } • 5 > < ! > 

* 5 I - iated use 

of application progranjmes. Other unpiertientaUons gre possible, such as: a single 
30 \ \r\ p ^ ,j . \ n i | | , { , , , , ■> j t t >n >t 
x V ^ u < v>,< * \ i > P r -<n -n ir, 

some of which deal with traffic to a particular destination port (which may he thought 
of generally as dealing with traffic using a particular commtmications protocol); or a 
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plurality ofVAPS may be provided with each one ui; with traffic Cor a. particular 
destination port, 
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CLAIMS 

1, l ! O M' 0< ! v. < y k ids S C 5t\ < 

hosts, comprising the steps of: 
5 j> £ >! i i i ? u 1 ^ ( p v ^ru c^i^ 

record which is at least indicative of identities of hosts to whom data has been seat by 
the first host; and 

hnanro- passes * f ? * < tra a is to other hosts aohm the network 
over the course of a first time interval, so that during the first time interval the first 

10 hi > i ' > < { s s i r 

record. 

2, J i ! t o n ti> < >, , vi i v x n ^ u m > > 
the identities of bests to whom data has been sent by the first host over the coarse of a 

: 5 further time interval which precedes the first time interval 

3, A method a 

record to include the identity at least one host to whom data was sent by the first hast 
during the first eme interval and which was not in the record during the first time 
20 interval 

4 s a ' o d 4 " 

> i < ho 4 i ot 

previously in the record, the sdemitx of a host pr®\ mush stored in the record is 
25 deleted therehoiu. 

5. A met oh at cording to chum 2 wherein the fiat and fiirtha trim intervals are 
c t prece : e no \ nee oca.; h o n . 

30 t Km s. t i < vhem first at t » c i 

ot equal duration. 

7. A method according to clai.ni 1 , wherein the method mciades the step of 
generating a request to send data from the first host to another host within the 
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tnvod i where ds res of hosts to s\ hoi data ha been sent are monitored 
monitoring requests, 

5 S K metho ! rd i cUun 7 furth« c ^prisma he step < est ! 
< f p uns at « Jest to s i 

h< to ho<> hJ , t > m > w v 1u i 5 <. i m t - ■« n >x\ 1 

v 5 ( h * H > *!<! 

10 S, A) ( i i t s v 

i > S > I 1 t *- ! ! 

i K^pr n <■ < sJ , > f < ? n K hot hno to 

other hosts within the network over the course of the Erst time interval, so that during 
it i k a is unable to sen mi to more than « 

15 srerietemm d nha id Us noun the ihnher record 

10, A method according to claim t Euther comprising the step of diverting 
requests to contact hosts not in the record to a delay buffer 

20 1 x a !\ uv i. i at ik t 

est fimeimervah o s < * ! . of piests he 

delay buffer. 

12. '\ method according to claim 1 1 further comprising the step of monitoring the 
25 s * i \ i j * 3s) ; 

size, generating a warning. 

13. A ft* of I* Heufy „ p. hnsdus o\ ho\m, at k\; o a Omf oom ef\mm.h mchujes a 
ga v s< > It * > ! i , v < em * 

30 momtor re jest I - 05 1 * the drst host ?o s rd data to other hosts; 

. ri3 rd ol tid ! i > i * < i i 1 se 

p cat h to n- 'h. : I r- I 

whose identity is not in the record. 
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14 Art ftoH oorti<n^ ook s » J ^K'e c t; 4 a a „ ? <Up?cJ to s i u>r 
h. ^ni.rsv <. s i > v % > < r i 1 tj it d 

5 number of occasions in any given time interval. 

f que s ( is wix ' i < * i. delay bulla 
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